[Nagiosplug-devel] [ nagiosplug-Feature Requests-3574197 ] check_ssh add --fingerprint option

SourceForge.net noreply at sourceforge.net
Tue Dec 4 14:02:05 CET 2012


Feature Requests item #3574197, was opened at 2012-10-03 11:07
Message generated for change (Comment added) made by hjanuschka
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397600&aid=3574197&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Marc Haber (zugschlus)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_ssh add --fingerprint option

Initial Comment:
Hi,

please consider adding to the check_ssh plugin a check whether the fingerprint is what we expected. One would configure into the check the expected fingerprint, and the check would go into warning or critical if the fingerprint presented by the remote sshd is not what we expected.

Greetings
Marc


----------------------------------------------------------------------

Comment By: Helmut Januschka (hjanuschka)
Date: 2012-12-04 05:02

Message:
check out the git pull request
https://github.com/nagios-plugins/nagios-plugins/pull/26


I have reworked the check_ssh - using libssh to check version and
fingerprint (instead of serverhello version guessing)

----------------------------------------------------------------------

Comment By: J. Bern (j-bern)
Date: 2012-10-03 11:52

Message:
I'm afraid that you're expecting a bit much from good ol' check_ssh here.
It makes the TCP connection and has a look at the server hello to determine
the server's versions, but it never proceeds into the crypto setup stages,
which it would need to do to actually obtain the server's pubkey.

However, any service check using *check_by_ssh* against the target machine
- and assuming the usual ssh config params - should yell bloody murder
(well, actually "@@@@@@@@@@@@", the first line of ssh's "someone might be
doing something nasty" warning) when the host's pubkey has changed.

----------------------------------------------------------------------
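
The comparison requested in the initial comment, as an added Python example (not code from the pull request or from check_ssh, which is written in C): it fingerprints a host key blob that has already been obtained from the server and maps the result to a Nagios status. The sample key line, the function names and the choice of UNKNOWN for an unparsable key are assumptions; fetching the key itself requires completing the key exchange, as noted in the thread, and is not shown.

```python
import base64
import hashlib
import struct

OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios plugin exit codes

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: an ssh-ed25519 host key blob with a dummy 32-byte key,
# laid out like an ssh-keyscan / known_hosts line ("host keytype base64-blob").
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "host.example ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

def parse_host_key(line: str) -> bytes:
    """Return the raw key blob, checking it matches the declared key type."""
    _host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return blob

def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """Legacy colon-separated MD5 hex form, or OpenSSH's SHA256 base64 form."""
    if algo == "md5":
        return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_fingerprint(line: str, expected: str):
    """Compare the presented host key with the configured fingerprint."""
    try:
        blob = parse_host_key(line)
    except (ValueError, struct.error) as exc:
        return UNKNOWN, f"SSH UNKNOWN - cannot parse host key: {exc}"
    algo = "sha256" if expected.startswith("SHA256:") else "md5"
    actual = fingerprint(blob, algo)
    # Hex fingerprints are case-insensitive; base64 ones are not.
    want = expected.lower() if algo == "md5" else expected
    if actual == want:
        return OK, f"SSH OK - fingerprint {actual}"
    return CRITICAL, f"SSH CRITICAL - fingerprint {actual}, expected {expected}"

if __name__ == "__main__":
    print(check_fingerprint(SAMPLE_LINE, fingerprint(SAMPLE_BLOB))[1])
```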
